On Federation Transactions, the Policy Server doesn't look into the right User Store to find the User

Randomly, in a Federation Transaction, the Policy Server selects the wrong User Store to authenticate the user; as the user is not found there, the user is not authorized.

I've been observing this issue for a long time.

The 2 User Directories (UDs) that get mixed up use the same LDAP servers; only a different root is set.

Environment :

Policy Server 12.5CR02 on Red Hat 5 64-bit

Cause :

This issue is caused by a flaw in the directory key mapping used to identify the User Stores. It is fixed in Policy Server 12.52.

Note that this issue is related to DNS names only in the sense that, in 12.5, the DirectoryMap uses the LDAP server name: the keys of this mapping are built from the LDAP Directory namespace and the server name, so two User Directories that point at the same server name (with different roots) end up with the same key. The fix changes this: the Policy Server now uses the User Directory Name (the name given in the AdminUI) instead of the Server Name.

Resolution :

As a workaround, define FQDN aliases for all LDAP servers in the /etc/hosts file on the Policy Server and the AdminUI hosts, so that each User Store definition refers to a different server name; then, in the AdminUI, configure the LDAP servers listed in each User Store definition (including the load balancing and failover entries) with the aliases you put in the /etc/hosts file.
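To make the Cause and the Resolution above concrete, the following added example (not CA code) models the directory map in three ways: keyed on namespace plus server name as in 12.5, keyed on the same but with /etc/hosts aliases giving each User Store its own server name, and keyed on the User Directory name as in 12.52. The directory names, host names, roots and users are constructed; the real Policy Server picks the colliding entry non-deterministically, whereas this model simply keeps the last one registered.

```python
"""Model of the 12.5 DirectoryMap key collision (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserDirectory:
    name: str          # User Directory Name as given in the AdminUI
    namespace: str     # e.g. "LDAP:"
    server: str        # host[:port] as listed in the User Store definition
    root: str          # search root that differs between the two UDs
    users: frozenset   # constructed sample of users found under that root


def build_map(dirs, key_by_name):
    """Build the directory map: key = (namespace, server) as in 12.5, or
    key = User Directory name as in the 12.52 fix. With the 12.5 keying,
    two UDs on the same server silently share one slot (the flaw)."""
    dmap = {}
    for d in dirs:
        key = d.name if key_by_name else (d.namespace, d.server)
        dmap[key] = d
    return dmap


def authenticate(dmap, ud, user, key_by_name):
    """Return True only if the user exists under the root of the UD the
    Policy Server actually selects via the map for the requested UD."""
    key = ud.name if key_by_name else (ud.namespace, ud.server)
    selected = dmap.get(key)
    return selected is not None and user in selected.users


def run_scenario(server_a, server_b, key_by_name=False):
    """Authenticate one user from each UD; returns (employees_ok, partners_ok)."""
    employees = UserDirectory("Employees", "LDAP:", server_a,
                              "ou=emp,dc=example,dc=com", frozenset({"alice"}))
    partners = UserDirectory("Partners", "LDAP:", server_b,
                             "ou=partner,dc=example,dc=com", frozenset({"bob"}))
    dmap = build_map([employees, partners], key_by_name)
    return (authenticate(dmap, employees, "alice", key_by_name),
            authenticate(dmap, partners, "bob", key_by_name))


if __name__ == "__main__":
    same = "ldap1.example.com:389"
    print("12.5, same server name:", run_scenario(same, same))
    print("12.5, /etc/hosts aliases:",
          run_scenario("ldap-emp.example.com:389", "ldap-ptn.example.com:389"))
    print("12.52, keyed by UD name:", run_scenario(same, same, key_by_name=True))
```

The first scenario reproduces the symptom (the Employees user is looked up in the Partners root and is not found); the alias and the 12.52 keying both make the two lookups succeed.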